PoliCTF 2015 - Even the server lies (on a couch unfortunately)

by cloudstrife

What do we have here? It seems a normal session between a user and some google servers, but actually one of them is lazy and it’s lying on a couch. What a bad luck! Will you be able to exploit this unforgivable behaviour?

The title is a hint: the server tells the client that the communication is encrypted with a certain ciphersuite, while actually the message number 13 has been tampered.

Since message 13 has been tampered with: in the field “encrypted data”, the original


has been replaced with


Padded with as many 00 as needed to match the original length.

Discarding the final 00 and converting 93a3c4b2c570e768f4044e0a4c5aeab7b1e2e26ac8371117 to an integer value we get n = 3620115404019777021855203292005859579843541360704566530327i which can easily be factorized in p = 49727547581930298376698201253, q = 72798993315633226794104718859.

n can be used as a 192 bits rsa modulus in a school textbook rsa implementation. Message 14 has been altered with the same procedure by injecting the value 925a684f87209401f4213cf1a6eca21c62d12703d61416bd which is the ciphertext encrypted with the public key <e,n> = <65537, n>

By factoring n and guessing e (really easy, since 65537 is by far the most common choice for the encryption exponent), one is able to compute z = phi(n) and thus the decryption exponent d. After the decryption the plaintext flag{fuuckk-rsa-use-ecc} is recovered.

Summing everything up:

Original ptx: "flag{fuuckk-rsa-use-ecc}"
Ptx length: 192
Decimal: p = 49727547581930298376698201253, q = 72798993315633226794104718859
Hex: p = a0ada9cc09068b740b0c04a5, q = eb39ea7760dc65daad8b060b
Decimal: n = 3620115404019777021855203292005859579843541360704566530327, and it's 192 bits long
Hex: n = 93a3c4b2c570e768f4044e0a4c5aeab7b1e2e26ac8371117, and it's 192 bits long
Decimal: e = 65537
Hex: e = 10001
ptx: 2511413510841792985603231251528729753957701240341594858365
Hex ptx: 666c61677b667575636b6b2d7273612d7573652d6563637d
Decimal ctx: 3588568898129748916244664946454451586293630107020164339389
Hex ctx: 925a684f87209401f4213cf1a6eca21c62d12703d61416bd
Decimal: z = 3620115404019777021855203291883333038945977835533763610216
Hex: z = 93a3c4b2c570e768f4044e08c073567447fff11c0fa00668
Decimal: d = 2393782461031189358974580616400752560778840891110230553921
Hex: d = 61a041491555fb2f636c154da434a04e73edc23993fb7541
Decimal ctx: 3588568898129748916244664946454451586293630107020164339389
Hex ctx: 925a684f87209401f4213cf1a6eca21c62d12703d61416bd
ptx: 2511413510841792985603231251528729753957701240341594858365
Hex ptx: 666c61677b667575636b6b2d7273612d7573652d6563637d
All ok? true
Decrypted message: "flag{fuuckk-rsa-use-ecc}"